This is a brief summary of bugs fixed between Ubuntu 16.04.1 and 16.04.2. This summary covers only changes to packages in main and restricted, which account for all packages in the officially-supported CD images; there are further changes to various packages in universe and multiverse. Some of these fixes were by Ubuntu developers directly, while others were by upstream developers and backported to Ubuntu. For full details, see the individual package changelogs.

In addition to the bugs listed below, this update includes all security updates from the Ubuntu Security Notice list affecting Ubuntu 16.04.1 LTS that were released up to and including February 15, 2017. The last update included was USN-3197-1 (libgc vulnerability).

Installation bug fixes

Updated CD images are provided with this release, including fixes for some installation bugs. (Many installation problems are hardware-specific; for those, see "Hardware support bugs" below.)

Use full version as BUILD_DATE string in the build process, such that mini.iso mini-info & d-i fake status file correctly declare full buildstamp. Currently it's impossible to tell apart SRU builds from each other and from the GA build. LP: #1628149.

ubi-prepare.py: default to disabling Secure Boot when third party drivers are being installed, since it's most likely what people will want. This will also avoid people skipping through this important part of the installer without noticing, only to find their systems not all working correctly. (LP: #1606393)

Modify data/50unattended-upgrades.Ubuntu such that the release pocket is an allowed origin so that security updates with a new dependency will be upgraded and the new dependency will be installed. (LP: #1624641)

DistUpgrade/DistUpgradeCache.py: import kernel initrd size estimation code from update-manager (since u-r-u is the only consumer of it) and refactor in order to give more accurate estimates. LP: #1646222.

Fix LP: #1613258 - Avoid a hard runtime dependency on MADV_FREE when compiled against glibc 2.24, and ensure madvise(MADV_FREE) is allowed in the seccomp policy so that it works when the kernel is upgraded to 4.5

Remove pango_cairo_update_layout.patch and revert to previous version of gtk2-engines-murrine. The patch caused text shadows to be very misaligned for Xfce desktop icon labels with several different themes (LP: #1598316)

Add support for greeters running inside sessions. This is enabled by setting X-LightDM-Allow-Greeter inside the session .desktop file. The session can then use liblightdm to connect one greeter to the daemon. The communication is done using a socket (/var/run/lightdm/<user>/greeter-socket) that is accessible to any process run by that user. Consider controlling access to this socket using a MAC system such as AppArmor. (LP: #1582242)

Fix LP: #1547149 - Stop using device form factor for configuring various WebPreferences options. This also deprecates OxideQWebPreferences::shrinksStandaloneImagesToFit, which never actually worked and the corresponding setting in Blink no longer exists

debian/patches/0001-Fix-trashing-on-overlayfs.patch: Update with new version from the upstream report to hopefully fix trashing of files in directories which are symlinks to different devices. (Closes: #800047) (LP: #1638245)

Fix LP: #1642317 - misaligned access when running mksnapshot during the armhf build. Add this as a distro-patch to avoid having to fork the v8 repo for upstream checkouts. This isn't a problem for cross-builds anyway

Fix zfs services failing on first boot due to zfs services starting up before /etc/mtab has a chance to be symlinked to /proc/mounts. (LP: #1607920) (upstream commit 792517389fad5c495a2738b61c2e9c65dedaaa9a)

d/p/bug1638027.patch: Cherry pick fix to ensure that LXD containers can be deleted by deleting the container and then its associated profile, fixing compatibility with later versions of 2.0.x LXD (LP: #1637620).

debian/initramfs/lib/etc/dhcp/dhclient-enter-hooks.d/config: fix script to not write to /run/net-$iface.conf when dealing with IPv6; which should only write to a /run/net6-$iface.conf file. (LP: #1621507)

d/rules: Install upstream provided systemd targets and ensure they are enabled and started on install to ensure that integrations aligned to upstream packaging work with Ubuntu packages (LP: #1646583).

d/ceph.*,d/*.logrotate: Install logrotate configuration in ceph-common, ensuring that all daemons get log rotation on log files, deal with removal of logrotate configuration in ceph for upgrades (LP: #1609866).

replace 'Wants' and 'After' on local-fs.target with more granular After=systemd-remount-fs.service and RequiresMountsFor=/var/lib and Before=sysinit.target. This is done to run sufficiently early to update /etc/fstab. (LP: #1611074)

split out IPv6 options in its own cmdline parameter: ip6= ; always use dhclient in this case if the value set is anything other than 'off' or 'none'. Furthermore, parse anything other than 'on', 'dhcp' or 'any' as the name of an interface. (LP: #1621507)

scripts/functions: make sure we can try to start all available and suitable interfaces if ip= isn't set when setting up the network, and exit as soon as we get an IP address. This retains the old behavior from ipconfig when ip= is unset, for really simple remote-root scenarios. (LP: #1628306)

Replace maxcpus by nr_cpus. nr_cpus is a hard limit that has an impact on the (kdump) kernel memory consumption, while it is not the case with maxcpus=1, as we can theoretically hotplug cpus with maxcpus=1 (LP: #1568952)

define_stampdir() : Loop on hostname -I for 5 sec to get IP address if HOSTTAG=ip. The network stack may not be ready when kdump-config runs. Give it some time before reverting HOSTTAG to hostname if an IP address cannot be found. (LP: #1599561)

Add cio_ignore result to /etc/default/kdump-tools on s390x. In order for crashkernel=128M to work correctly on the s390 architecture, the result of cio_ignore -u -k needs to be appended to the KDUMP_CMDLINE_APPEND variable in /etc/default/kdump-tools. This patch adds the required logic to do the proper modification. (LP: #1570775)

73-usb-net-by-mac.rules: Do not run readlink for *every* uevent, and merely check if /etc/udev/rules.d/80-net-setup-link.rules exists. A common way to disable a udev rule is to just "touch" it in /etc/udev/rules.d/ (i.e. empty file), and if the rule is customized we cannot really predict anyway if the user wants MAC-based USB net names or not. (LP: #1615021)

Backport networkd 231. Compared to 229 this has a lot of fixes, some of which we need for good netplan support. Backporting them individually would be a lot more work and a lot less robust, and we did not use/support networkd in 16.04 so far. Drop the other network related patches as they are included in this backport now. (LP: #1627641)

Remove patch hunk that set u->transport to NULL. At the time this code was written for 15.10, it was to prevent an assertion. Now with newer versions of pulse, the opposite is happening in some circumstances (LP: #1574324)

Fix double-quote handling in /proc/cmdline. Parsing of the cmdline would fail if double-quotes are encountered in /proc/cmdline (i.e. when things like "acpi_osi=!Windows 2012" are found in the cmdline). (LP: #1644771)
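
The parsing problem described in this entry, as an added example (not code from the affected package): a quote-aware tokenizer for /proc/cmdline contents beside a whitespace-only split. Function names and the sample command line are constructed for illustration; only the acpi_osi parameter comes from the entry.

```python
def split_cmdline(cmdline):
    """Split a kernel command line on whitespace, except inside double quotes."""
    params, current, in_quotes = [], [], False
    for ch in cmdline.strip():
        if ch == '"':
            in_quotes = not in_quotes   # toggle state; the quote itself is dropped
        elif ch.isspace() and not in_quotes:
            if current:                 # end of one parameter
                params.append("".join(current))
                current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated double quote in command line")
    if current:
        params.append("".join(current))
    return params


def parse_cmdline(cmdline):
    """Return {name: value}; parameters without '=' map to None."""
    parsed = {}
    for param in split_cmdline(cmdline):
        name, sep, value = param.partition("=")
        parsed[name] = value if sep else None
    return parsed


def naive_split(cmdline):
    """Whitespace-only split, shown for contrast: it breaks quoted parameters."""
    return cmdline.split()


# Constructed sample; only the acpi_osi parameter is taken from the changelog entry.
SAMPLE = 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro "acpi_osi=!Windows 2012" quiet splash'

if __name__ == "__main__":
    print(naive_split(SAMPLE))    # quoted parameter is torn into two tokens
    print(parse_cmdline(SAMPLE))  # quoted parameter survives as one key/value pair
```
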

Backport from upstream to fix a bug in PulseAudio 8 where audio switches to another audio device when an HDMI monitor goes to sleep, thanks to Cristian Klein <cristiklein@gmail.com> for the backport (LP: #1641954)

Cherry-pick upstream commit to complete support for 4.5+ kernels: d/p/0003-Fix-for-the-replacements-made-to-the-kernel-s-cpu_po.patch, d/p/0004-With-the-introduction-of-radix-MMU-in-Power-ISA-3.0-.patch, d/p/0005-Fix-for-Linux-commit-0139aa7b7fa12ceef095d99dc36606a.patch, d/p/0006-Fix-for-Linux-commit-edf14cdbf9a0e5ab52698ca66d07a76.patch, d/p/0007-Fix-to-recognize-and-support-x86_64-Linux-4.8-rc1-an.patch, d/p/0008-Fix-for-a-possible-segmentation-violation-when-analy.patch, d/p/0009-Fix-for-support-of-Linux-4.7-and-later-x86_64-ELF-kd.patch, d/p/0010-Linux-3.15-and-later-kernels-configured-with-CONFIG_.patch. These commits are included in version 7.1.7 of crash and are required in order to correctly open 4.5 kernels and newer (LP: #1655625).

debian/patches/ip6_fix_routing_eb9f401f.patch: fix IPv6 routing; we should be able to talk to things outside of link-local addresses; to do this, allow specifying a gateway and interface. (LP: #1229458)

debian/console-setup-linux.setvtrgb.service: add condition to only execute when /dev/tty0 exists. This is the same condition as used by getty@.service unit to prevent attempting setting up VT when none are present. This is a common case on serial only architectures and virtual machines. Resolves degraded boots on s390x/ppc64el. LP: #1660598

Do not show an empty option 4 when using netcfg, without a wifi-card, and when automatic configuration fails. This is achieved by substituting all choices into the question, from two internal select templates of identical options but wifireconf one. This resolves UX bug without changing translation strings or fuzzing any of the existing translations. LP: #1558271

r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an aa-logprof crash by ignoring file events that contain send *and* receive in the request mask. This is an improvement to the previous fix that only addressed events that contained send *or* receive. (LP: #1577051, LP: #1582374)

live-build/ubuntu-cpc/hooks/042-vagrant.binary: fix unmount handling so that the teardown is done properly /before/ we try to make an image from our filesystem, since otherwise /etc/resolv.conf is broken. LP: #1621393.

invoke-rc.d, service: Only ignore systemd unit dependencies before multi-user.target. "systemctl is-system-running" might still be false in case of running jobs for device/mount/hotplug/dynamic actions units. But in those cases we already do want to respect unit dependencies, as the system is booted up sufficiently to avoid dependency loops. Thus weaken the condition to "multi-user.target is active". This does not change the behaviour for single-user: is-system-running has always been false there, so dependencies continue to be ignored. Fixes installation of packages like PostgreSQL under cloud-init or when manually installing packages right after booting. LP: #1576692

debian/lib/apparmor/functions, debian/apparmor.init, debian/apparmor.service, debian/apparmor.upstart, debian/lib/apparmor/profile-load: Adjust the checks that previously kept AppArmor policy from being loaded while booting a container. Now we attempt to load policy if we're in a LXD or LXC managed container that is using profile stacking inside of a policy namespace. (LP: #1628285)

Rework prompting to display our Secure Boot warning and explanation text more prominently, rather than forcing graphical users to hit "Help" to see the full explanation for why we ask about disabling Secure Boot. (LP: #1595611)

debian/rules: Clean up *.busname units. They are useless in 16.04 as they will always be "condition failed" as kdbus has never existed. But they add ordering constraints which make it impossible to start systemd-networkd.service during early boot, which is an upcoming requirement for cloud-init. (Part of LP: #1636912)

Drop systemd-networkd's "After=dbus.service" ordering so that it can start during early boot (for cloud-init.service). It will auto-connect to D-Bus once it becomes available later, and transient (from DHCP) hostname and timezone setting do not work in 16.04 anyway. (LP: #1636912)